For many years, small businesses were an unlikely target for a sophisticated cyber attack. Having a relatively unknown brand and fewer financial resources worked in your favor to deter hackers. That has now changed. Hackers have shifted their focus due to the strong security defenses larger companies have acquired, which make it difficult for them to penetrate systems. As a result, they are now targeting the most vulnerable companies – SMBs.
Why are SMBs the most vulnerable?
SMBs Don’t Get Security
Smaller companies are easy pickings for hackers. They lack the monitoring, forensics, logs, audits, reviews, penetration testing and other security defenses and warning systems that would alert them to a breach. Cyber attacks are automated and focused on discovering vulnerabilities. Once a vulnerability is discovered, attackers can hit multiple businesses that share it. The assumption that hackers would need to pick your business out of 28 million others is far from the truth.
SMBs Lack Protection
Having the latest patches installed on every machine in your environment is the most efficient way to protect your business against attacks. If one computer in the environment is not patched, it can threaten the stability of the entire environment. We all witnessed the global scare from WannaCry – the ransomware attack that targeted businesses through a vulnerability Microsoft had issued a patch for in a recent update. The attackers were looking for businesses that didn’t have the update installed. This is an example of a vulnerability. Think of a patch as a band-aid – you cover a wound to protect it from infection. The most important function of an update is to put band-aids on open wounds in your system. If you don’t install updates, or an update fails, you have an open wound that is vulnerable to infection.
SMBs Don’t Train Staff
Failing to train staff on their role in information security is an even greater mistake. Phishing attempts have become so sophisticated that the untrained eye would consider them legitimate. Attackers can pose as high-level officials or reputable companies and trick untrained staff members into making payments, clicking fake links that lead to malicious sites (where staff could unknowingly provide attackers with compromising information) or opening attachments that install viruses. These attempts can be quite convincing and your staff is your first line of defense.
SMBs Pay Up
Smaller businesses have a higher chance of paying a ransom. Why? Because they don’t have another way to retrieve stolen data in a ransomware attack. Without proper data backups, and given that the payment doesn’t run the company out of business, paying is the only way to deal with the issue. Hackers are smart about this – they usually only ask for $5,000 or less from an SMB so that the business can afford it. When targeting multiple SMBs, they might even end up with a bigger payday without all the hassle.
Perception vs. Reality
SMB Threat Perception:
- 87% of SMB owners don’t believe they’re at risk of a cyberattack
- 66% say they are not concerned with hackers, cyber criminals or employees stealing data
- 47% believe a data breach would have no impact on their business
SMB Security Status:
- 87% do not have a formal written security policy
- 59% do not have a security incident response plan for a data breach
- 50% of users still use poor passwords
- 83% do not have a system to require employees to periodically change passwords
SMB Threat Reality:
- 62% of data theft victims are SMBs
- 73% of SMBs have been victims of a cyberattack
- 90% of data breaches can be traced back to SMBs
- 60% of SMBs shut down within 6 months of a breach
- 100% of SMBs are the perfect target for hackers